Sunday, 4 February 2018

Decryptor for MoneroPay Ransomware

An application that combines ransomware and a password stealer, detected as 'MoneroPay', poses as the SpriteCoin cryptocurrency. The fraud was discovered by MalwareHunterTeam on January 13, 2018.

The ransomware uses the Salsa20 algorithm to encrypt files. MoneroPay generates a 128-bit key based on the C&C address ‘jmqapf3nflatei35.onion’ and the %COMPUTERNAME%, %USERNAME%, and %USERPROFILE% strings. Therefore, it is essential to run the MoneroPay decryptor on the same computer on which the files were encrypted.

To decrypt the files encrypted by MoneroPay ransomware:

Caution: Use the decryptor at your own risk. We are not responsible for any damage that it may cause.

Back up the encrypted files that have the extension ‘.encrypted’ before decryption.
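
One way to carry out this backup step, as an added example that is not part of the original post or of the decryptor: it copies every ‘.encrypted’ file to a separate location, verifies each copy by SHA-256, and records the %COMPUTERNAME%, %USERNAME% and %USERPROFILE% values that the key depends on. The function names, the `manifest.json` file name and the command-line paths are assumptions.

```python
import hashlib
import json
import os
import shutil
import sys
from pathlib import Path

# Environment strings the post says feed the key; recorded for later comparison.
ENV_KEYS = ("COMPUTERNAME", "USERNAME", "USERPROFILE")


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def backup_encrypted(src_root, backup_root, suffix=".encrypted"):
    """Copy every *.encrypted file under src_root into backup_root, keeping
    relative paths, verify each copy, and write manifest.json (assumed name)."""
    src_root, backup_root = Path(src_root).resolve(), Path(backup_root).resolve()
    if backup_root == src_root or src_root in backup_root.parents:
        raise ValueError("backup_root must be outside src_root")
    # The manifest ties the backup to the machine and account it was taken on.
    manifest = {"environment": {k: os.environ.get(k, "") for k in ENV_KEYS}, "files": {}}
    for path in src_root.rglob("*"):
        if not path.is_file() or path.suffix.lower() != suffix:
            continue
        rel = path.relative_to(src_root)
        dest = backup_root / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, dest)  # copy2 also preserves timestamps
        digest = sha256_file(path)
        if sha256_file(dest) != digest:
            raise OSError(f"copy of {rel} does not match the original")
        manifest["files"][rel.as_posix()] = digest
    backup_root.mkdir(parents=True, exist_ok=True)
    (backup_root / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


if __name__ == "__main__":
    result = backup_encrypted(sys.argv[1], sys.argv[2])
    print(f"backed up {len(result['files'])} files")
```

Point the second argument at a drive other than the affected one, and keep the manifest with the backup so the copies can be re-verified later.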